I'm automating a Jenkins deployment which involves using the Google Login plugin using Ansible.
This plugin encrypts the value of the secret key at rest.
After some digging I found the relevant code which encrypts secrets in Jenkins. The code uses an AES cypher and
custom serialization which appears to be base64 in a very specific format.
The encryption key is stored in a CredentialsStore (see here and here).
I'd like to provision the encryption key and the Google Apps secret key using Ansible but I'm not sure how exactly to do so.
I can write a Python module that encrypts the Google Apps secret key the same way Jenkins does but I don't understand how to read or write to the DefaultCredentialStore.
How do I store my encryption key without using the Java code?
Is there a less tedious way to do this automatically?
Related
I would appreciate clarification and advice on the following:
I am working on secure file transfer using the SFTP protocol. We use a PGP public/private key pair for file encryption and decryption. For the time being we keep our public/private key on the local system, but as per requirement we want to keep these keys in Azure's Key Vault. But I didn't find any document related to importing my existing PGP public/private key into Azure's Key Vault.
I am confused after reading MS Azure's documentation and related blog posts, where some sources claim Asymmetric key encryption is supported, but there is no official documentation on this.
It's obviously a late response but just for anyone landing here -
Do a Base64 encoding of the PGP key's content and store the encoded string in an Azure Key Vault Secret. Just decode the key before using it for encryption / decryption.
When you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as bring your own key, or BYOK. The HSMs are FIPS 140-2 Level 2 validated. Azure Key Vault uses nCipher nShield family of HSMs to protect your keys.
Use the information in this topic to help you plan for, generate, and then transfer your own HSM-protected keys to use with Azure Key Vault.
This functionality is not available for Azure China.
You can read more about it in the docs below:
https://learn.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys#prerequisites-for-byokTo
https://id-3.co.uk/bring-your-own-key-what-is-it-and-what-are-its-benefits/
https://youtu.be/lOpaD4vShsU
Hope it helps.
I am examining Jasypt for storing encrypted database passwords in property files. It has good integration with Spring etc., but the approach these guys propose for encrypting passwords looks a bit weird to me:
Use PBE (symmetric algorithm) encryption.
Store password for encryption/decryption in environment variable or in source code.
Both options look unsafe and a bit insecure.
My questions:
What is the best practice for storing encrypted passwords?
Can I use key based encryption (i.e. private/public keys) here?
In our application we use two approaches:
We use an enterprise password vault which stores the passwords for all our databases. Our web server requests the password from the vault to connect to the database every time.
We store encrypted passwords in a properties file.
And during the application startup we read the properties file using class loader and keep it as a system variable and use it whenever needed.
It is difficult to have public/private key encryption directly with db, you would need an intermediary to do this.
I have to implement AES encryption/decryption with the following scenario.
There are 2 applications App1 and App2 running on different servers.
App1 will encrypt (using AES encryption) some data and give it to App2. App2 will decrypt the same data using AES decryption. The secret key needs to be shared with App2 for decryption. So, how do we share the secret key with App2? Can we use a Java keystore in this case?
Can we use java keystore in this case?
A Java keystore file could be used to share the key data, but you would need to password-protect this file to ensure other parties cannot read the key. So you've only changed the problem to how to securely share a password.
A common way to solve your original problem is to use asymmetric cryptography. By encrypting the AES key with a public key held by your recipient, you've ensured no others can read the key data. However, you will still need a method of determining that the public key corresponds to your intended recipient. For that, most people revert to a PKI of some description.
This is a broad subject area and worthy of some further reading on your part before you determine the correct approach for your use case.
You need to implement Diffie Hellman Algo! Watch this on youtube Watch this simple youtube explanation!
I am building my website in which I am facing problems with implementing encryption. I am developing it using RESTful web services in java.
I found GibberishAES API for encryption from javascript. The encrypted message now goes to web service, but I have no clue how to decrypt it in the (java) web service. I know GibberishAES is not available in java, but is there any roundabout way?
Or, are there any encryption APIs which are supported for both Java and Javascript?
I also have the issue with (symmetric) key distribution for the website. It will have 100s of clients (machines, on a public network) and I don't know how to communicate the unique key for a particular machine to it.
Please help me with pointers in this regard.
GibberishAES implements AES encryption. AES is a symmetric cipher, that means that both parties must know a shared key. The problem of distributing the key is not trivial, and there exist well-known algorithms for doing so.
As was mentioned in some comments, SSL already solves that problem, because it negotiates the generation of a distributed secret key that is later used for encryption. If for any reason you cannot use SSL, you should adopt some mechanism for secure generation or transport of the secret key. For instance, you could generate an ephemeral RSA key pair in the client, send the public key to the server, and have the server return the secret (AES) key in wrapped form.
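The key-wrapping exchange the answers above describe (an ephemeral RSA key pair on the client, the AES key returned wrapped under the client's public key), as an added example that is not part of the original posts. It uses Node.js's built-in `crypto` module; the function names are hypothetical, the sample message is constructed, and it does not authenticate the public key, which is the job of the PKI mentioned earlier.

```javascript
// Added example: RSA-OAEP wrapping of an AES key. Names are hypothetical.
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client: ephemeral RSA key pair; only the public half is sent to the server.
function clientCreateKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Server: generate a fresh AES-256 key and wrap it under the client's public key.
function serverWrapKey(clientPublicPem) {
  const aesKey = crypto.randomBytes(32);
  const wrapped = crypto.publicEncrypt({ key: clientPublicPem, ...OAEP }, aesKey);
  return { aesKey, wrapped };
}

// Client: unwrap the AES key with the private key that never left the client.
function clientUnwrapKey(privatePem, wrapped) {
  return crypto.privateDecrypt({ key: privatePem, ...OAEP }, wrapped);
}

// Either side: AES-256-GCM with a fresh 96-bit nonce per message.
function encrypt(aesKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decrypt(aesKey, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, iv);
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext or tag was modified in transit.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Round trip with constructed sample data.
function demo() {
  const client = clientCreateKeyPair();
  const { aesKey, wrapped } = serverWrapKey(client.publicKey);
  const unwrapped = clientUnwrapKey(client.privateKey, wrapped);
  const msg = encrypt(aesKey, 'constructed sample message');
  return { keysMatch: unwrapped.equals(aesKey), text: decrypt(unwrapped, msg) };
}
```

Only the wrapped key and the GCM output (nonce, ciphertext, tag) cross the network; a modified ciphertext or tag makes `decrypt` throw instead of returning altered plaintext.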
I am trying to make a PHP script to interact a with a Java application. They will share some information, so I would like to encrypt the data that is passed between them to make it as secure as possible, on top of having an SSL certificate. However, because my website is only on a shared server at JustHost, as far as I am aware I can not use the 'mcrypt' PHP module, so I'm not sure how to do it so that both my Java application and the PHP script can encrypt data being sent and decrypt data being received!
Your SSL conversation between Java and PHP will protect your data while it's in transit. Should you properly protect the private key with a strong password (10+ symbols) and make sure your algorithms are strong, no one will be able to break it by snooping on the conversation.
You won't get any extra protection by encrypting the data before sending it over the SSL conversation. And you actually might be weakening your security because in order for you to encrypt data you'll have to share some key should you choose symmetric encryption. And, by trading secret keys you're undoing much of the protection SSL gives you because the huge benefit of SSL is the fact we can encrypt data without agreeing on a secret key. If I were trying to get at your encrypted text I'd attack your client because it's easier to find your symmetric encryption key than it is to break SSL. And while you could use asymmetric encryption you'll be basically re-inventing SSL.
I would focus on making sure your SSL conversation is strong. Using only the strongest symmetric encryption: TripleDES, IDEA, AES if your server supports it. Take out the weaker algorithms so conversations can't use the weaker encryption. Generate 1024+ public/private key pairs. That might not always be easy on your shared server, but your Java application could only choose to use TripleDES, IDEA, and AES.
Make sure you validate the server's certificate on the client side so you ensure you aren't talking to a false service. That basically means taking the server's certificate and adding it to the keystore used on the client. If that's Java you can use keytool to import a certificate and use that keystore as your TrustManager/KeyManager in your SSL conversation.
If you want to encrypt the data after it's gone over the SSL conversation then you can encrypt/decrypt on the server only. But, you still have a key management problem. If you encrypt/decrypt how do you plan on securing the secret key on the server? That's always the ugly problem that doesn't have a simple answer.